You must be an organisation Administrator to carry out these actions.

The first action required to grant an auditor or external consultant is to set them up as a user on your

Navigating to the 'Create new user' page:

  1. Scroll over your name and image in the navigation bar

  2. Click 'Organisation settings'

  3. Click 'Users'. This will take you to the registered user's page

  4. Click 'Create new user'. This will take you to the create a new user page

Creating a user for your auditor or external consultant

First, you will want to ensure you have a custom subdomain set up for your ISMS, this is because your auditor may already have an account on another ISMS platform, and this may cause issues logging in if that customer also does not use a custom subdomain. We have this guide on how to set up a custom subdomain.

From the user creation page, you can then enter the auditor's information, including their First name, Last name, Email address, Organisation and Role on the platform.

We then suggest that you Team in your auditor or external consultant to the Work areas that you would like to grant them access to.

To do this, expand the options below the heading 'Add them to some work areas', and click on the radio button relevant to the Work area that you would like to grant the user access to.

By selecting 'Select all work areas that were set up with your organisation's ISMS', you can automatically grant them access to all areas that were provisioned when your platform was created.

Users can also be added to Work areas after they have been created. See here for a guide on how to An Introduction to Teams Team in users.

Work areas that you might want to give that user access to

If you want to grant an auditor access to your Work areas related to ISO 27001:

  • ISMS Cluster
  • ISO 27001:2013 Policies and Controls Project
  • ISMS Board Group
  • ISMS Communications Group 
  • ISMS Corrective Actions & Improvements Track
  • Information Asset Inventory (ISO 27001) Track
  • Security Incident Management Track
  • Policy Packs Administration (if Policy Packs are used)

If you are subscribed to the GDPR module and an external consultant requires access to your Work areas related to GDPR:

  • GDPR Compliance for ICO - With ISO 27001 Project
  • LIA and DPIA Project
  • Personal Data Inventory & Records Processing Track
  • Subject access Requests Track

If you are subscribed to the ISO 22301 BCMS module and an external consultant requires access to your Work areas related to BCMS:

  • BCMS Cluster
  • ISO 22301:2012 Policies and Controls Project
  • BCMS Incident Response Track
  • Business Impact Assessment (BIA)Track

Note: If you use supplier accounts you may also want to grant the Auditor or external Consultant access to your accounts on You can grant access to all accounts by giving that user the Accounts Overview permission.

Please amend the auditors email address once audit is finished, so it is free to use by others then deactivate the auditor.

If the Auditors Email is already taken

If you get the message that an auditors email is already taken, it may be that you have not set up a custom subdomain on your platform. If this is the case, and the auditor has used their email address on another platform, it may trigger this message as the email is already in use elsewhere. Once you set up a custom subdomain, you should be able to add this email as though it were a new user. To set up a custom subdomain, simply carry out the steps in the guide linked here.

If you do have a custom subdomain set up, and are still receiving this message- check that the auditor has not already been set up. They may exist as a deactivated user within your user list.

If you require any further assistance, do reach out to our support team on the live chat or email us at

If the auditor cannot log in

If the auditor's email isn't in use, but they don't receive the welcome email they should make sure they check their spam/junk folder. If the welcome email is not there, they should email us at